Every user pwned, how's that $4bn looking now, Verizon?

With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide.

In a filing on Tuesday to America's financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the total number of user accounts illegally accessed by hackers in 2013 wasn't the 500 million earlier reported, nor the one billion it later confessed, but all of them – all three billion accounts.

The miserable web giant said that following its 2016 takeover by Verizon – which has its own security consultancy – it "recently obtained new intelligence" that indicated that the network intrusion was much larger than had previously been thought. In fact, it was as large as it could be.

That means account records – including names, addresses, phone numbers, and weakly hashed passwords – for three billion accounts worldwide were exposed to hackers. In its statement today to the SEC, Yahoo! admitted:

Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” added Chandra McMahon, chief information security officer for Verizon.

“Our investment in Yahoo! is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

2016: Yahoo: 1bn accounts hacked
2017: Yahoo: Make that 3bn.
2020: Alien life found on Mars
2021: Yahoo: Yeah, they were hacked too.

Despite their words, Verizon management are most likely seething about the news. When the initial hack was disclosed, the telco managed to knock $350m off the $4.8bn asking price for the company. Had it known about the size of the actual hack it could have got a considerably bigger discount.

As for the hackers themselves, the US authorities have indicted four men over the infiltration. American prosecutors claim the hack was ordered by the Russian intelligence services and carried out by hackers-for-hire. One of those alleged miscreants is now in a US jail awaiting trial.

You'd also imaging Yahoo!'s erstwhile CEO isn't too bothered. After negotiating the deal Marissa Meyer laughed all the way to the bank with a $55m golden parachute, and is now reportedly looking around for another challenge before retiring. Equifax needs a new CEO – just saying. ®

PS: Don't delete that Yahoo! account: park it...

🚨 Secure your Yahoo account with 2FA, but do not delete it. Deleting it will recycle your account after 30 days — and anyone can hijack it.